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Abstract 


There  is  little  question  that  Cyber  Defense  Analysis  is  a  complex  and  difficult  activity.  The  shear  immensity  of  cyberspace 
and  the  inconsistency  of  attacks  requires  a  comparable  effort  in  terms  of  aiding.  This  paper  suggests  that  an  understanding 
of  end  user  experiences  and  behaviors  could  be  utilized  to  provide  information  and  support  to  analysts.  In  order  to  attain 
that  imderstanding,  we  propose  that,  in  addition  to  and  in  support  of  the  development  of  new  technologies  and  tools, 
research  is  needed  that  focuses  on  understanding  the  interactions  between  cyber  attack,  end  users’  psychological  states, 
behavioral  indicators  of  those  states  and  individual  characteristics  that  are  likely  to  mediate  behavioral  responses. 
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1.  Introduction 

According  to  the  National  Security  Strategy,  “Cybersecurity 
threats  represent  one  of  the  most  serious  national  security, 
public  safety,  and  economic  challenges  we  face  as  a  nation” 
(2010).  In  addition  to  widespread  dependence  on 
networking  in  the  private  sector,  the  Department  of  Defense 
relies  on  the  cyberspace  domain  to  conduct  multiple 
operations  worldwide.  Increasing  dependence  brings  about 
increasing  vulnerability.  The  Department  of  Defense  (DoD) 
has  publicly  recognized  the  inadequacy  of  cybersecurity  and 
has  set  policy  to  increase  it  as  a  national  priority  (DoD, 
2011). 

Cyberspace  is  an  enormous  domain.  There  are  “over 
15,000  networks  and  seven  million  computing  devices 
across  hundreds  of  installations  in  dozens  of  countries 
around  the  globe”  operated  by  the  DoD  alone  and  over  2 
billion  independent  users  of  the  internet  (DoD,  2011).  Yet  a 
very  small  percentage  (less  than  0.1%)  of  our  military 
conducts  or  supports  cyber  defense.  Cyber  Defense 
Analysts  are  expected  to  detect,  report,  and  mitigate 
damages  from  intrusions  in  a  domain  that  does  not  occupy 
space  in  the  same  way  as  other  domains.  Their  task  requires 
vigilance  intermittent  with  periods  of  high-pressure  and  time 
sensitive  activities.  Attacks  can  be  very  limited  and 
camouflaged,  making  them  difficult  to  detect.  Additionally, 
determining  the  potential  impacts  of  an  intrusion  is  not 
straight  forward. 

The  user  of  the  information  is  the  first  person  affected 
when  there  is  a  system  compromise.  User  behaviors  may 
change  based  on  the  ease  of  their  interactions  with  their 
computers.  As  users  are  continuously  interacting  with  the 
systems  that  are  monitored  by  analysts  as  well  as  more 
directly  involved  in  the  missions  that  would  be  impacted  by 


a  cyber  attack  on  those  systems,  it  is  our  contention  that 
information  about  combined  user  behaviors  should  be 
exploited  to  help  inform  cyber  operators  of  systemic 
problems.  But  before  we  can  adequately  make  use  of  user 
behavior,  we  must  understand  it.  Therefore,  we  propose  that 
our  cyber  research  strategy  should  include  an  understanding 
of  the  effects  of  an  attack  on  end  users. 

2.  The  User  as  Sensor 

Often  the  first  impacts  of  a  cyber  attack  are  felt  by  the  end 
user  of  the  technology.  There  are  many  more  end  users  than 
cyber  defense  analysts,  but  even  if  the  end  users  are  slowed 
down  or  otherwise  frustrated  by  a  problem  with  their 
computer,  they  do  not  necessarily  immediately  consider  the 
possibility  of  a  cyber  attack.  Think  about  the  last  time  your 
system  was  slow  or  a  webpage  that  you  were  trying  to 
access  would  not  load.  Did  you  automatically  assume  that 
someone  had  hacked  into  your  system?  Did  you 
immediately  call  the  help  desk  or  tech  support?  Do  you 
believe  that  you  should  have  done  so? 

Problems  experienced  by  a  single  user  are  less  often  not 
the  result  of  a  cyber  attack.  However,  users  are  not  in  a 
position  to  determine  if  it  their  experiences  are  isolated  or 
common  with  other  users  interacting  with  the  same 
information  systems.  The  latter  could  be  an  indicator  of  a 
cyber  attack  that  may  not  be  easily  detectable  without  using 
the  human  as  a  sensor.  Enhanced  understanding  of  end  user 
interaction  experiences  could  be  utilized  by  cyber  analysts  to 
increase  the  likelihood  of  intrusion  detection.  As  users  do 
not  necessarily  report  problems  immediately  or  at  all,  an  end 
user  experience  sensing  capability  could  provide  significant 
additional  information  to  enhance  cyber  defense. 
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Suppose  that  the  network  within  which  a  user’s  computer 
resided  was  monitored  by  an  automated  system.  Suppose 
further  that  the  automated  system  could  sense  when  that  user 
became  agitated  or  frustrated  as  that  user  interacted  with  his 
or  her  computer.  Of  course  there  are  many  reasons  why  a 
user  could  be  agitated  or  frustrated,  but  now  suppose  that  the 
database  he  or  she  was  accessing  was  also  being  access  by 
other  users  on  the  network,  and  a  large  portion  of  those 
users  were  also  displaying  signs  of  agitation  or  frustration. 
The  combined  information  could  be  used  by  the  automated 
system  to  suggest  that  there  is  a  potential  problem  with  that 
database.  As  an  individual  using  the  computer,  the  user 
would  probably  have  been  unsure  as  to  whether  it  was  his  or 
her  computer,  the  network,  the  database,  another 
application,  or  something  else  that  causing  the  problem  and 
may  simply  have  decided  to  try  again  later  or  perhaps  just 
cope  with  the  frustration.  If  he  or  she  had  known  that  others 
were  having  the  same  problem,  the  user  might  have  reported 
the  problem  or  might  have  just  assumed  that  it  had  already 
been  reported.  If  the  technology  was  in  place  that  could 
monitor  and  correlate  user  activity  and  behavior,  that  system 
could  not  only  automatically  report  potential  problems  once 
some  threshold  is  met  but  could  also  inform  the  computer 
analyst  of  which  users  were  being  impacted. 

3.  Understanding  Interactive  Behavior 


personality  and  emotion,  however,  reveals  that  much  less 
has  been  done  to  investigate  these  relationships.  The  most 
relevant  articles  pertain  to  either  cyber  smearing  of 
corporations  or  selection  of  personnel  (end  users)  who  will 
behave  more  cautiously  in  the  cyber  domain. 

We  are  just  beginning  to  explore  these  relationships.  The 
first  experiment  that  we  have  undertaken  investigates  the 
relationships  between  cyber  manipulations,  affective  state, 
personality  traits,  and  performance.  Now  that  the  issue  of 
cyber  defense  is  becoming  more  prominent,  we  hope  that 
others  will  also  conduct  experimentation  that  will  allow  us 
to  more  fully  develop  this  model. 

In  order  to  capitalize  on  user  affective  state,  we  must  be 
able  to  accurately  link  changes  in  human-computer 
interactive  behavior  to  affect  and  to  find  and  exploit 
technologies  that  can  track  and  measure  those  changes. 
There  is  a  growing  literature  on  physiological  measures  of 
affect  (e.g.  Gouzi,  et  ah,  2011;  Kim  and  Andre,  2008). 
These  measures  range  from  fairly  intrusive  measures  such  as 
EEG  (Papousek,  et  al.,  2011)  to  less  intrusive  measures  such 
as  video  analysis  of  facial  expression  and  gestures  (Zhou 
and  Wang,  2005)  to  very  unintrusive  measures  such  as 
keyboard  pressure  (Hai-Rong,  et.  al.,  2008).  Less  research 
is  available  on  the  validity  and  reliability  of  such  measures 
in  operational  environments  or  the  relationships  and  trade¬ 
offs  between  accuracy  and  intrusiveness. 


In  order  to  capitalize  upon  user  behaviours,  more  must  be 
understood  about  how  cyber  attacks  are  likely  to  affect  user 
states  and  also  how  those  state  changes  are  manifest  in 
interactive  behaviour.  We  believe  that  this  relationship  is 
not  straightforward  and  is  likely  to  be  mediated  by 
individual  characteristics  and  experience  among  other  things 
(see  Fig  1).  Our  lab  has  recently  begun  a  research  program 
to  explore  these  relationships  and  more  completely  develop 
this  model. 


Figure  1.  Proposed  Model  of  Cyber  Effects 


4.  Conclusions  and  Future  Directions 

It  is  important  that  we  understand  the  role  and  needs  of 
Cyber  Defense  Analysts  and  develop  tools  to  assist  them  in 
their  work.  We  propose  that,  although  it  is  critical  to 
conduct  research  focused  on  Cyber  Defense  Analysis, 
research  should  be  extended  to  investigation  of  impacts  of 
cyber  attack  on  end  users.  Knowledge  gained  in  this  area 
could  yield  information  that  not  only  provides  analysts  with 
more  timely  warnings  of  potential  intrusions,  but  could  also 
help  them  to  determine  impacts  of  those  intrusions  upon  the 
larger  mission. 

We  have  proposed  a  descriptive  model  of  the  effect  of 
cyber  attack  on  user  performance  and  suggested  some  of  the 
potential  relationships.  We  believe  that  it  is  important  to 
further  develop  and  validate  this  model  and  to  go  beyond 
description  to  attempt  to  understand  the  mathematical 
relationships  among  its  components  to  support  its  practical 
application.  More  must  be  learned  about  the  validity  and 
reliability  of  such  measures  in  operational  environments. 
Additional  research  should  be  conducted  to  support  a  greater 
understanding  of  the  relationships  and  trade-offs  between 
predictive  accuracy  and  intrusiveness. 


An  investigation  of  the  literature  reveals  that  a  fair 
amount  of  research  has  been  done  that  can  inform  the 
linkage  between  psychological  state  and  performance  and  its 
mediating  factors.  A  literature  search  on  cyber,  cyber 
defense,  cyber  security  or  hacking  combined  with 
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